" without suggesting - given previous claims that national security agencies routinely intercept hardware deliveries in transit in order to inject malicious code - exactly how one would be sure of that fact.

I would think you'd have a database somewhere with hashes of said firmware so you can compare. Problem being that of course they could intercept your link to said database and inject a fake hash to make it seem OK.
So perhaps you need to go to another country like Russia and consult a DB there to be sure. While simultaneously Russians would go to another country to make sure their government didn't mess with their systems.
Anyway - it's good news for the airlines I guess